Basically I’ve acquired a burner Android 8 phone and am running the target.com app which is the only way they let you get parking lot delivery at the store. I assume the Target app is spyware. I keep the phone powered off almost all the time which should limit the spying. The thing is, if I power up the phone and order something, then close the app, I still get an alert when the status of the order changes (e.g. it’s ready for pickup). So the app is still listening for network traffic from Target.

Can anyone explain what is happening in Android and whether there is a way to make an app really stop? Does the app stay in a running state even after I’ve closed the UI part of it? Is there somethng like an inetd in Android that listens for network alerts and re-launches the destination app? Are there Android app permissions associated with this, that I can revoke?

I don’t want to run this type of app on my main phone, but I had at first liked the idea of using a burner for such things. Now, though, I wonder if I need a separate burner for each suspicious app. Thanks.

  • TachyonTele@lemm.ee
    link
    fedilink
    English
    arrow-up
    37
    arrow-down
    4
    ·
    edit-2
    3 days ago

    I definitely use a different burner phone for every app. It’s obviously the only sane way to use apps. Ive got my email phone. My weather phone. My alarm phone. A phone for each one of my contacts. Right now Im on my lemmy-only phone, with all of the others powered off and in thier separate faraday bags. Having a separate phone just for the app I use to order something is a must. How dare they tell me the status of the order I paid for? Who do they think they are!? On Sundays I use my magnet wand and wipe each and every phone, just to be sure.

      • AmidFuror@fedia.io
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        3 days ago

        Needs to include “I have no friends, my family are all horrible, and people of the opposite sex don’t pay me any attention” to get closer to average.

    • solrize@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      6
      ·
      edit-2
      3 days ago

      I realize you’re being facitious but as a matter of fact, the Target app (plus Google Play) are the only apps I have installed so far that didn’t come from F-droid. Google Play was needed to install the Target app. I figure that the F-droid apps have had enough vetting that I tend to not worry about them too much. I have never installed or used Google Play on my “real” phone. I only installed it on the burner in order to install the target app there.

      I confess to occasionally using some of the preinstalled google apps on my main phone, such as the camera app. I will get around to checkng out F-droid versions one of these days.

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    23
    ·
    edit-2
    3 days ago

    What are you trying to protect against? Having a separate burner phone just for Target feels like overkill to me. If you’re worried about Target spying then why not just go into the store to buy things, and pay in cash?

    Can anyone explain what is happening in Android a

    It’s using Firebase Cloud Messaging which is a Google service

    Are there Android app permissions associated with this, that I can revoke?

    You can revoke notification permissions for an app, but then you won’t get notifications of course.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      7
      ·
      3 days ago

      Just to expand on this. The app likely isn’t always running in the background listening (since that’s what it seems the op thinks). The push message causes the android system to wake the app to deal with the message. Otherwise it’s not actively running (and you can limit background running in android settings per app).

    • solrize@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      edit-2
      3 days ago

      I prefer to avoid going in the Target store because of the long waits and for healh reasons. Parking lot pickup is preferable. Also, I sometimes have to take my mom with me when shopping. She is elderly, has serious mobility problems, and is probably more susceptible than most people to airborne pathogens from the holiday shoppers in Target. So it’s way easier and safer for us to sit in the car and let Target staff bring the stuff to us, instead of going into the store. Plenty of other people order everything from Amazon for similar sorts of reasons, and at least this avoids a lot of packaging and shipping.

      It’s not like I went to great lengths to get the burner phone to run the Target app. I had the phone anyway, and the Target app seemed like a good use for it.

      Installing the Target app from Google Play requires a Google Play account, and I didn’t want that on my main phone either. Plus using the Target app requires a target.com account, besides having the app itself installed. So the burner phone actually separates off three annoying things: 1) Google Play account, 2) target.com account, 3) Target app.

      Thanks for the info about Firebase Cloud messaging. What I’m wondering now is, does the target app have to keep running to receive those messages? That means it’s potentially continuously collecting the phone’s location. That’s part of the reason I keep the phone powered off. Location permission is emabled because that makes parking lot pickup a little faster. Basically they juggle their order queue to prioritize users who are getting close to the store. So I turn on the phone and start the app when I’m a few miles away from the store.

      I guess I could keep location permission disabled except when needed, but that’s more nuisance, and anyway there’s still data collection possible from other sensors and the availability of the network.

      • WolfLink@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        8
        ·
        3 days ago

        What I’m wondering now is, does the target app have to keep running to receive those messages?

        No it doesn’t. What’s happening is target’s webserver sends a message to Google’s webserver, which sends a message to your phone, which is displayed by the OS. The Target app doesn’t need to be launched for this and won’t be launched unless you tap on the notification, which typically launches the associated app.

        That means it’s potentially continuously collecting the phone’s location.

        Target’s app isn’t doing this, although they probably do record what you bought from which target and when.

        Google can / probably is continuously collecting the phone’s location, to some extent. Your cell service company can do this too.

      • limerod@reddthat.com
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 days ago

        Can’t you use the target website? There’s hermit for web apps which can sandox websites for you.

        Using android 8 will mean you are using a vulnerable OS so stuff like this should be common. Newer android versions limit app activity and data collection.

        You can use apps like Shizuku and AppOps to limit permissions and data, apps can gather on you.

        • solrize@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          3 days ago

          The web site lets you order stuff for home delivery or for in-store pickup (you go into the store and wait a long time at the customer service desk). Gettnig stuff brought to the parking lot requires the app. It’s annoying and I don’t know why they do that. The app also needs network connectivity when you’re in the parking lot, to let them know which parking space you are in. I don’t have a working sim in the burner phone, so I bring another phone to use as a wifi hotspot, what fun.

          Other stores do let you order on the web for parking lot pickup, and then call a phone number once you get there, so Target just insists on being special.

          • limerod@reddthat.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            3 days ago

            You can highlight via email to target. Or consider getting your order close to your home.

            • solrize@lemmy.worldOP
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              3 days ago

              What do you mean by highlight via email? Target is reasonably close to here. There is not really anyplace closer for kitchen stuff etc. There are a few grocery stores that are closer and I do use those. Anyway this is getting way off topic. I mostly just wanted to know what was going on inside Android resulting in the app’s observed behaviour. My shopping practices are the best I can do given my requirements, as far as I can tell.

              • limerod@reddthat.com
                link
                fedilink
                English
                arrow-up
                3
                ·
                edit-2
                3 days ago

                Highlight the fact that the website doesn’t work for ordering stuff to the parking lot. I was going to suggest social media but then I realized you wouldn’t be using one in the 1st place. Nevermind

  • jqubed@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    3 days ago

    A separate burner seems like overkill. I’m no expert, but I think an Android service manages the push notifications and wakes up the app when it receives a notification.

  • moonlight@fedia.io
    link
    fedilink
    arrow-up
    4
    ·
    2 days ago

    The notifications are coming from Google Play Services.

    Look into GrapheneOS. They have a sandboxed play services implementation, and you can have multiple sandboxed users, e.g. one for foss apps, one for google and proprietary apps.

    Also try TrackerControl on f-droid, it lets you block trackers from apps. You’ll still have Google to worry about though.

  • brb@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    ·
    3 days ago

    You can check if the app keeps running in Settings > System settings > Developer options > Running services

  • fodderoh@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    3 days ago

    There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background. You can disable it, but I believe it is a per app setting.

    Alternatively, if you turn on battery saver, I believe that turns off background app usage.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      3 days ago

      There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background.

      That’s not how notifications work though. Most apps on Android use Firebase Cloud Messaging for notifications. Your phone has a constant connection to a Google server, and all notifications come in via that connection. The phone receives the notification and tells the relevant app.

      Some apps have their own connection (for example, email apps will often connect directly to an email server and use IMAP IDLE) but it’s not very common.

  • ERROR: Earth.exe has crashed@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    3 days ago

    Okay, so this is not really to answer your question, but I don’t think you needed a separate phone just for one app. You could’ve just use a “work profile” to put that app inside, and whenever you don’t need the app, you can turn off the work profile, and its effectively like that part of your phone being turned off.

    I use an app called Shelter to do this.

    Apps in “Work Profile” are effectively the same as if it were on another phone, they cannot access the data on your main profile.

  • BearOfaTime@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    3 days ago

    The app has registered for a receiver that’s handled by Google Cloud Messaging/Firebase.

    When a message for that app is received by GCM, a broadcast is fired specifically for that app and wakes it up.

  • amogussussywussy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 days ago

    Just droppin some extra info: You can use the aurora store to download apps from the google play store without a google account (Note: some apps can detect that you didn’t download it from the google play store, although I only encountered that once with a banking app, so to get around that I begrudgingly created a burner google account to download it.)

    • solrize@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 days ago

      Yes I think there’s also an fdroid app that does that. But except for a few unusual cases I generally don’t want to run Play store apps anyway. Target is the first one so far. I’ve gotten by without banking apps and expect to keep doing so.